[thirdparty/openssl.git] / test / ct_test.c

/*
 * Copyright 2016-2017 The OpenSSL Project Authors. All Rights Reserved.
 *
 * Licensed under the OpenSSL license (the "License").  You may not use
 * this file except in compliance with the License.  You can obtain a copy
 * in the file LICENSE in the source distribution or at
 * https://www.openssl.org/source/license.html
 */

#include <ctype.h>
#include <math.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#include <openssl/ct.h>
#include <openssl/err.h>
#include <openssl/pem.h>
#include <openssl/x509.h>
#include <openssl/x509v3.h>
#include "testutil.h"

#ifndef OPENSSL_NO_CT
/* Used when declaring buffers to read text files into */
# define CT_TEST_MAX_FILE_SIZE 8096

static char *certs_dir = NULL;
static char *ct_dir = NULL;

typedef struct ct_test_fixture {
    const char *test_case_name;
    /* The current time in milliseconds */
    uint64_t epoch_time_in_ms;
    /* The CT log store to use during tests */
    CTLOG_STORE* ctlog_store;
    /* Set the following to test handling of SCTs in X509 certificates */
    const char *certs_dir;
    char *certificate_file;
    char *issuer_file;
    /* Expected number of SCTs */
    int expected_sct_count;
    /* Expected number of valid SCTS */
    int expected_valid_sct_count;
    /* Set the following to test handling of SCTs in TLS format */
    const unsigned char *tls_sct_list;
    size_t tls_sct_list_len;
    STACK_OF(SCT) *sct_list;
    /*
     * A file to load the expected SCT text from.
     * This text will be compared to the actual text output during the test.
     * A maximum of |CT_TEST_MAX_FILE_SIZE| bytes will be read of this file.
     */
    const char *sct_dir;
    const char *sct_text_file;
    /* Whether to test the validity of the SCT(s) */
    int test_validity;
} CT_TEST_FIXTURE;

static CT_TEST_FIXTURE set_up(const char *const test_case_name)
{
    CT_TEST_FIXTURE fixture;
    int ok = 0;

    memset(&fixture, 0, sizeof(fixture));
    fixture.test_case_name = test_case_name;
    fixture.epoch_time_in_ms = 1473269626000; /* Sep 7 17:33:46 2016 GMT */
    if (!TEST_ptr(fixture.ctlog_store = CTLOG_STORE_new())
            || !TEST_int_eq(
                    CTLOG_STORE_load_default_file(fixture.ctlog_store), 1))
        goto end;
    ok = 1;

end:
    if (!ok) {
        CTLOG_STORE_free(fixture.ctlog_store);
        TEST_error("Failed to setup");
        exit(EXIT_FAILURE);
    }
    return fixture;
}

static void tear_down(CT_TEST_FIXTURE fixture)
{
    CTLOG_STORE_free(fixture.ctlog_store);
    SCT_LIST_free(fixture.sct_list);
}

static char *mk_file_path(const char *dir, const char *file)
{
# ifndef OPENSSL_SYS_VMS
    const char *sep = "/";
# else
    const char *sep = "";
# endif
    size_t len = strlen(dir) + strlen(sep) + strlen(file) + 1;
    char *full_file = OPENSSL_zalloc(len);

    if (full_file != NULL) {
        OPENSSL_strlcpy(full_file, dir, len);
        OPENSSL_strlcat(full_file, sep, len);
        OPENSSL_strlcat(full_file, file, len);
    }

    return full_file;
}

static X509 *load_pem_cert(const char *dir, const char *file)
{
    X509 *cert = NULL;
    char *file_path = mk_file_path(dir, file);

    if (file_path != NULL) {
        BIO *cert_io = BIO_new_file(file_path, "r");

        if (cert_io != NULL)
            cert = PEM_read_bio_X509(cert_io, NULL, NULL, NULL);
        BIO_free(cert_io);
    }

    OPENSSL_free(file_path);
    return cert;
}

static int read_text_file(const char *dir, const char *file,
                          char *buffer, int buffer_length)
{
    int len = -1;
    char *file_path = mk_file_path(dir, file);

    if (file_path != NULL) {
        BIO *file_io = BIO_new_file(file_path, "r");

        if (file_io != NULL)
            len = BIO_read(file_io, buffer, buffer_length);
        BIO_free(file_io);
    }

    OPENSSL_free(file_path);
    return len;
}

static int compare_sct_list_printout(STACK_OF(SCT) *sct,
                                     const char *expected_output)
{
    BIO *text_buffer = NULL;
    char *actual_output = NULL;
    int result = 0;

    if (!TEST_ptr(text_buffer = BIO_new(BIO_s_mem())))
        goto end;

    SCT_LIST_print(sct, text_buffer, 0, "\n", NULL);

    /* Append \0 because we're about to use the buffer contents as a string. */
    if (!TEST_true(BIO_write(text_buffer, "\0", 1)))
        goto end;

    BIO_get_mem_data(text_buffer, &actual_output);
    if (!TEST_str_eq(actual_output, expected_output))
        goto end;
    result = 1;

end:
    BIO_free(text_buffer);
    return result;
}

static int compare_extension_printout(X509_EXTENSION *extension,
                                      const char *expected_output)
{
    BIO *text_buffer = NULL;
    char *actual_output = NULL;
    int result = 0;

    if (!TEST_ptr(text_buffer = BIO_new(BIO_s_mem()))
            || !TEST_true(X509V3_EXT_print(text_buffer, extension,
                                           X509V3_EXT_DEFAULT, 0)))
        goto end;

    /* Append \0 because we're about to use the buffer contents as a string. */
    if (!TEST_true(BIO_write(text_buffer, "\0", 1)))
        goto end;

    BIO_get_mem_data(text_buffer, &actual_output);
    if (!TEST_str_eq(actual_output, expected_output))
        goto end;

    result = 1;

end:
    BIO_free(text_buffer);
    return result;
}

static int assert_validity(CT_TEST_FIXTURE fixture, STACK_OF(SCT) *scts,
                           CT_POLICY_EVAL_CTX *policy_ctx)
{
    int invalid_sct_count = 0;
    int valid_sct_count = 0;
    int i;

    if (!TEST_int_ge(SCT_LIST_validate(scts, policy_ctx), 0))
        return 0;

    for (i = 0; i < sk_SCT_num(scts); ++i) {
        SCT *sct_i = sk_SCT_value(scts, i);

        switch (SCT_get_validation_status(sct_i)) {
        case SCT_VALIDATION_STATUS_VALID:
            ++valid_sct_count;
            break;
        case SCT_VALIDATION_STATUS_INVALID:
            ++invalid_sct_count;
            break;
        case SCT_VALIDATION_STATUS_NOT_SET:
        case SCT_VALIDATION_STATUS_UNKNOWN_LOG:
        case SCT_VALIDATION_STATUS_UNVERIFIED:
        case SCT_VALIDATION_STATUS_UNKNOWN_VERSION:
            /* Ignore other validation statuses. */
            break;
        }
    }

    if (!TEST_int_eq(valid_sct_count, fixture.expected_valid_sct_count)) {
        int unverified_sct_count = sk_SCT_num(scts) -
                                        invalid_sct_count - valid_sct_count;

        TEST_info("%d SCTs failed, %d SCTs unverified",
                  invalid_sct_count, unverified_sct_count);
        return 0;
    }

    return 1;
}

static int execute_cert_test(CT_TEST_FIXTURE fixture)
{
    int success = 0;
    X509 *cert = NULL, *issuer = NULL;
    STACK_OF(SCT) *scts = NULL;
    SCT *sct = NULL;
    char expected_sct_text[CT_TEST_MAX_FILE_SIZE];
    int sct_text_len = 0;
    unsigned char *tls_sct_list = NULL;
    size_t tls_sct_list_len = 0;
    CT_POLICY_EVAL_CTX *ct_policy_ctx = CT_POLICY_EVAL_CTX_new();

    if (fixture.sct_text_file != NULL) {
        sct_text_len = read_text_file(fixture.sct_dir, fixture.sct_text_file,
                                      expected_sct_text,
                                      CT_TEST_MAX_FILE_SIZE - 1);

        if (!TEST_int_ge(sct_text_len, 0))
            goto end;
        expected_sct_text[sct_text_len] = '\0';
    }

    CT_POLICY_EVAL_CTX_set_shared_CTLOG_STORE(
            ct_policy_ctx, fixture.ctlog_store);

    CT_POLICY_EVAL_CTX_set_time(ct_policy_ctx, fixture.epoch_time_in_ms);

    if (fixture.certificate_file != NULL) {
        int sct_extension_index;
        int i;
        X509_EXTENSION *sct_extension = NULL;

        if (!TEST_ptr(cert = load_pem_cert(fixture.certs_dir,
                                           fixture.certificate_file)))
            goto end;

        CT_POLICY_EVAL_CTX_set1_cert(ct_policy_ctx, cert);

        if (fixture.issuer_file != NULL) {
            if (!TEST_ptr(issuer = load_pem_cert(fixture.certs_dir,
                                                 fixture.issuer_file)))
                goto end;
            CT_POLICY_EVAL_CTX_set1_issuer(ct_policy_ctx, issuer);
        }

        sct_extension_index =
                X509_get_ext_by_NID(cert, NID_ct_precert_scts, -1);
        sct_extension = X509_get_ext(cert, sct_extension_index);
        if (fixture.expected_sct_count > 0) {
            if (!TEST_ptr(sct_extension))
                goto end;

            if (fixture.sct_text_file
                && !compare_extension_printout(sct_extension,
                                               expected_sct_text))
                    goto end;

            scts = X509V3_EXT_d2i(sct_extension);
            for (i = 0; i < sk_SCT_num(scts); ++i) {
                SCT *sct_i = sk_SCT_value(scts, i);

                if (!TEST_int_eq(SCT_get_source(sct_i), SCT_SOURCE_X509V3_EXTENSION)) {
                    goto end;
                }
            }

            if (fixture.test_validity) {
                if (!assert_validity(fixture, scts, ct_policy_ctx))
                    goto end;
            }
        } else if (!TEST_ptr_null(sct_extension)) {
            goto end;
        }
    }

    if (fixture.tls_sct_list != NULL) {
        const unsigned char *p = fixture.tls_sct_list;

        if (!TEST_ptr(o2i_SCT_LIST(&scts, &p, fixture.tls_sct_list_len)))
            goto end;

        if (fixture.test_validity && cert != NULL) {
            if (!assert_validity(fixture, scts, ct_policy_ctx))
                goto end;
        }

        if (fixture.sct_text_file
            && !compare_sct_list_printout(scts, expected_sct_text)) {
                goto end;
        }

        tls_sct_list_len = i2o_SCT_LIST(scts, &tls_sct_list);
        if (!TEST_mem_eq(fixture.tls_sct_list, fixture.tls_sct_list_len,
                         tls_sct_list, tls_sct_list_len))
            goto end;
    }
    success = 1;

end:
    X509_free(cert);
    X509_free(issuer);
    SCT_LIST_free(scts);
    SCT_free(sct);
    CT_POLICY_EVAL_CTX_free(ct_policy_ctx);
    OPENSSL_free(tls_sct_list);
    return success;
}

# define SETUP_CT_TEST_FIXTURE() SETUP_TEST_FIXTURE(CT_TEST_FIXTURE, set_up)
# define EXECUTE_CT_TEST() EXECUTE_TEST(execute_cert_test, tear_down)

static int test_no_scts_in_certificate(void)
{
    SETUP_CT_TEST_FIXTURE();
    fixture.certs_dir = certs_dir;
    fixture.certificate_file = "leaf.pem";
    fixture.issuer_file = "subinterCA.pem";
    fixture.expected_sct_count = 0;
    EXECUTE_CT_TEST();
}

static int test_one_sct_in_certificate(void)
{
    SETUP_CT_TEST_FIXTURE();
    fixture.certs_dir = certs_dir;
    fixture.certificate_file = "embeddedSCTs1.pem";
    fixture.issuer_file = "embeddedSCTs1_issuer.pem";
    fixture.expected_sct_count = 1;
    fixture.sct_dir = certs_dir;
    fixture.sct_text_file = "embeddedSCTs1.sct";
    EXECUTE_CT_TEST();
}

static int test_multiple_scts_in_certificate(void)
{
    SETUP_CT_TEST_FIXTURE();
    fixture.certs_dir = certs_dir;
    fixture.certificate_file = "embeddedSCTs3.pem";
    fixture.issuer_file = "embeddedSCTs3_issuer.pem";
    fixture.expected_sct_count = 3;
    fixture.sct_dir = certs_dir;
    fixture.sct_text_file = "embeddedSCTs3.sct";
    EXECUTE_CT_TEST();
}

static int test_verify_one_sct(void)
{
    SETUP_CT_TEST_FIXTURE();
    fixture.certs_dir = certs_dir;
    fixture.certificate_file = "embeddedSCTs1.pem";
    fixture.issuer_file = "embeddedSCTs1_issuer.pem";
    fixture.expected_sct_count = fixture.expected_valid_sct_count = 1;
    fixture.test_validity = 1;
    EXECUTE_CT_TEST();
}

static int test_verify_multiple_scts(void)
{
    SETUP_CT_TEST_FIXTURE();
    fixture.certs_dir = certs_dir;
    fixture.certificate_file = "embeddedSCTs3.pem";
    fixture.issuer_file = "embeddedSCTs3_issuer.pem";
    fixture.expected_sct_count = fixture.expected_valid_sct_count = 3;
    fixture.test_validity = 1;
    EXECUTE_CT_TEST();
}

static int test_verify_fails_for_future_sct(void)
{
    SETUP_CT_TEST_FIXTURE();
    fixture.epoch_time_in_ms = 1365094800000; /* Apr 4 17:00:00 2013 GMT */
    fixture.certs_dir = certs_dir;
    fixture.certificate_file = "embeddedSCTs1.pem";
    fixture.issuer_file = "embeddedSCTs1_issuer.pem";
    fixture.expected_sct_count = 1;
    fixture.expected_valid_sct_count = 0;
    fixture.test_validity = 1;
    EXECUTE_CT_TEST();
}

static int test_decode_tls_sct(void)
{
    const unsigned char tls_sct_list[] = "\x00\x78" /* length of list */
        "\x00\x76"
        "\x00" /* version */
        /* log ID */
        "\xDF\x1C\x2E\xC1\x15\x00\x94\x52\x47\xA9\x61\x68\x32\x5D\xDC\x5C\x79"
        "\x59\xE8\xF7\xC6\xD3\x88\xFC\x00\x2E\x0B\xBD\x3F\x74\xD7\x64"
        "\x00\x00\x01\x3D\xDB\x27\xDF\x93" /* timestamp */
        "\x00\x00" /* extensions length */
        "" /* extensions */
        "\x04\x03" /* hash and signature algorithms */
        "\x00\x47" /* signature length */
        /* signature */
        "\x30\x45\x02\x20\x48\x2F\x67\x51\xAF\x35\xDB\xA6\x54\x36\xBE\x1F\xD6"
        "\x64\x0F\x3D\xBF\x9A\x41\x42\x94\x95\x92\x45\x30\x28\x8F\xA3\xE5\xE2"
        "\x3E\x06\x02\x21\x00\xE4\xED\xC0\xDB\x3A\xC5\x72\xB1\xE2\xF5\xE8\xAB"
        "\x6A\x68\x06\x53\x98\x7D\xCF\x41\x02\x7D\xFE\xFF\xA1\x05\x51\x9D\x89"
        "\xED\xBF\x08";

    SETUP_CT_TEST_FIXTURE();
    fixture.tls_sct_list = tls_sct_list;
    fixture.tls_sct_list_len = 0x7a;
    fixture.sct_dir = ct_dir;
    fixture.sct_text_file = "tls1.sct";
    EXECUTE_CT_TEST();
}

static int test_encode_tls_sct(void)
{
    const char log_id[] = "3xwuwRUAlFJHqWFoMl3cXHlZ6PfG04j8AC4LvT9012Q=";
    const uint64_t timestamp = 1;
    const char extensions[] = "";
    const char signature[] = "BAMARzBAMiBIL2dRrzXbplQ2vh/WZA89v5pBQpSVkkUwKI+j5"
            "eI+BgIhAOTtwNs6xXKx4vXoq2poBlOYfc9BAn3+/6EFUZ2J7b8I";
    SCT *sct = NULL;

    SETUP_CT_TEST_FIXTURE();

    fixture.sct_list = sk_SCT_new_null();
    if (!TEST_ptr(sct = SCT_new_from_base64(SCT_VERSION_V1, log_id,
                                            CT_LOG_ENTRY_TYPE_X509, timestamp,
                                            extensions, signature)))

        return 0;

    sk_SCT_push(fixture.sct_list, sct);
    fixture.sct_dir = ct_dir;
    fixture.sct_text_file = "tls1.sct";
    EXECUTE_CT_TEST();
}

/*
 * Tests that the CT_POLICY_EVAL_CTX default time is approximately now.
 * Allow +-10 minutes, as it may compensate for clock skew.
 */
static int test_default_ct_policy_eval_ctx_time_is_now(void)
{
    int success = 0;
    CT_POLICY_EVAL_CTX *ct_policy_ctx = CT_POLICY_EVAL_CTX_new();
    const time_t default_time = CT_POLICY_EVAL_CTX_get_time(ct_policy_ctx) /
            1000;
    const time_t time_tolerance = 600;  /* 10 minutes */

    if (!TEST_uint_le(fabs(difftime(time(NULL), default_time)), time_tolerance))
        goto end;

    success = 1;
end:
    CT_POLICY_EVAL_CTX_free(ct_policy_ctx);
    return success;
}

static int test_ctlog_from_base64(void)
{
    CTLOG *log = NULL;
    const char notb64[] = "\01\02\03\04";
    const char pad[] = "====";
    const char name[] = "name";

    /* We expect these to both fail! */
    if (!TEST_true(!CTLOG_new_from_base64(&log, notb64, name))
        || !TEST_true(!CTLOG_new_from_base64(&log, pad, name)))
        return 0;
    return 1;
}
#endif

int test_main(int argc, char *argv[])
{
#ifndef OPENSSL_NO_CT
    if ((ct_dir = getenv("CT_DIR")) == NULL)
        ct_dir = "ct";
    if ((certs_dir = getenv("CERTS_DIR")) == NULL)
        certs_dir = "certs";

    ADD_TEST(test_no_scts_in_certificate);
    ADD_TEST(test_one_sct_in_certificate);
    ADD_TEST(test_multiple_scts_in_certificate);
    ADD_TEST(test_verify_one_sct);
    ADD_TEST(test_verify_multiple_scts);
    ADD_TEST(test_verify_fails_for_future_sct);
    ADD_TEST(test_decode_tls_sct);
    ADD_TEST(test_encode_tls_sct);
    ADD_TEST(test_default_ct_policy_eval_ctx_time_is_now);
    ADD_TEST(test_ctlog_from_base64);

    return run_tests(argv[0]);
#else
    printf("No CT support\n");
    return EXIT_SUCCESS;
#endif
}
Commit	Line	Data
5dc31221	1	/*
9b579777	2	* Copyright 2016-2017 The OpenSSL Project Authors. All Rights Reserved.
5dc31221	3	*
440e5d80 RS	4	* Licensed under the OpenSSL license (the "License"). You may not use
	5	* this file except in compliance with the License. You can obtain a copy
	6	* in the file LICENSE in the source distribution or at
	7	* https://www.openssl.org/source/license.html
5dc31221 RP	8	*/
	9
	10	#include <ctype.h>
ebcb5368	11	#include <math.h>
5dc31221 RP	12	#include <stdio.h>
	13	#include <stdlib.h>
	14	#include <string.h>
	15
0cea8832	16	#include <openssl/ct.h>
17436ce5	17	#include <openssl/err.h>
2b2b9684	18	#include <openssl/pem.h>
17436ce5 RL	19	#include <openssl/x509.h>
17436ce5 RL	20	#include <openssl/x509v3.h>
5dc31221 RP	21	#include "testutil.h"
5dc31221 RP	22
11c8bc42	23	#ifndef OPENSSL_NO_CT
5dc31221	24	/* Used when declaring buffers to read text files into */
9b579777	25	# define CT_TEST_MAX_FILE_SIZE 8096
5dc31221	26
67336ea4 RL	27	static char *certs_dir = NULL;
67336ea4 RL	28	static char *ct_dir = NULL;
c469a9a8	29
5dc31221 RP	30	typedef struct ct_test_fixture {
5dc31221 RP	31	const char *test_case_name;
1fa9ffd9 RP	32	/* The current time in milliseconds */
1fa9ffd9 RP	33	uint64_t epoch_time_in_ms;
7d054e5a RP	34	/* The CT log store to use during tests */
7d054e5a RP	35	CTLOG_STORE* ctlog_store;
5dc31221	36	/* Set the following to test handling of SCTs in X509 certificates */
c469a9a8 RL	37	const char *certs_dir;
	38	char *certificate_file;
	39	char *issuer_file;
1fa9ffd9	40	/* Expected number of SCTs */
7d054e5a	41	int expected_sct_count;
1fa9ffd9 RP	42	/* Expected number of valid SCTS */
1fa9ffd9 RP	43	int expected_valid_sct_count;
5dc31221	44	/* Set the following to test handling of SCTs in TLS format */
4fc31f75 RP	45	const unsigned char *tls_sct_list;
	46	size_t tls_sct_list_len;
	47	STACK_OF(SCT) *sct_list;
5dc31221 RP	48	/*
	49	* A file to load the expected SCT text from.
	50	* This text will be compared to the actual text output during the test.
	51	* A maximum of \|CT_TEST_MAX_FILE_SIZE\| bytes will be read of this file.
	52	*/
c469a9a8 RL	53	const char *sct_dir;
c469a9a8 RL	54	const char *sct_text_file;
7d054e5a RP	55	/* Whether to test the validity of the SCT(s) */
7d054e5a RP	56	int test_validity;
5dc31221 RP	57	} CT_TEST_FIXTURE;
	58
	59	static CT_TEST_FIXTURE set_up(const char *const test_case_name)
	60	{
	61	CT_TEST_FIXTURE fixture;
adcd8e37	62	int ok = 0;
50eadf2a EK	63
50eadf2a EK	64	memset(&fixture, 0, sizeof(fixture));
765731a8 RP	65	fixture.test_case_name = test_case_name;
765731a8 RP	66	fixture.epoch_time_in_ms = 1473269626000; /* Sep 7 17:33:46 2016 GMT */
adcd8e37 RS	67	if (!TEST_ptr(fixture.ctlog_store = CTLOG_STORE_new())
	68	\|\| !TEST_int_eq(
	69	CTLOG_STORE_load_default_file(fixture.ctlog_store), 1))
7d054e5a	70	goto end;
adcd8e37	71	ok = 1;
5dc31221	72
7d054e5a	73	end:
adcd8e37	74	if (!ok) {
765731a8	75	CTLOG_STORE_free(fixture.ctlog_store);
adcd8e37	76	TEST_error("Failed to setup");
5dc31221 RP	77	exit(EXIT_FAILURE);
	78	}
	79	return fixture;
	80	}
	81
	82	static void tear_down(CT_TEST_FIXTURE fixture)
	83	{
7d054e5a	84	CTLOG_STORE_free(fixture.ctlog_store);
4fc31f75	85	SCT_LIST_free(fixture.sct_list);
5dc31221 RP	86	}
5dc31221 RP	87
c469a9a8 RL	88	static char mk_file_path(const char dir, const char *file)
c469a9a8 RL	89	{
9b579777	90	# ifndef OPENSSL_SYS_VMS
adcd8e37	91	const char *sep = "/";
9b579777	92	# else
adcd8e37	93	const char *sep = "";
9b579777	94	# endif
adcd8e37 RS	95	size_t len = strlen(dir) + strlen(sep) + strlen(file) + 1;
adcd8e37 RS	96	char *full_file = OPENSSL_zalloc(len);
c469a9a8	97
c469a9a8	98	if (full_file != NULL) {
adcd8e37 RS	99	OPENSSL_strlcpy(full_file, dir, len);
	100	OPENSSL_strlcat(full_file, sep, len);
	101	OPENSSL_strlcat(full_file, file, len);
c469a9a8 RL	102	}
	103
	104	return full_file;
	105	}
	106
	107	static X509 load_pem_cert(const char dir, const char *file)
5dc31221	108	{
5dc31221	109	X509 *cert = NULL;
c469a9a8	110	char *file_path = mk_file_path(dir, file);
5dc31221	111
c469a9a8 RL	112	if (file_path != NULL) {
c469a9a8 RL	113	BIO *cert_io = BIO_new_file(file_path, "r");
5dc31221	114
c469a9a8 RL	115	if (cert_io != NULL)
c469a9a8 RL	116	cert = PEM_read_bio_X509(cert_io, NULL, NULL, NULL);
c469a9a8 RL	117	BIO_free(cert_io);
c469a9a8 RL	118	}
adcd8e37 RS	119
adcd8e37 RS	120	OPENSSL_free(file_path);
5dc31221 RP	121	return cert;
	122	}
	123
c469a9a8 RL	124	static int read_text_file(const char dir, const char file,
c469a9a8 RL	125	char *buffer, int buffer_length)
5dc31221	126	{
adcd8e37	127	int len = -1;
c469a9a8 RL	128	char *file_path = mk_file_path(dir, file);
	129
	130	if (file_path != NULL) {
	131	BIO *file_io = BIO_new_file(file_path, "r");
5dc31221	132
adcd8e37 RS	133	if (file_io != NULL)
	134	len = BIO_read(file_io, buffer, buffer_length);
	135	BIO_free(file_io);
5dc31221 RP	136	}
5dc31221 RP	137
adcd8e37 RS	138	OPENSSL_free(file_path);
adcd8e37 RS	139	return len;
5dc31221 RP	140	}
5dc31221 RP	141
4fc31f75	142	static int compare_sct_list_printout(STACK_OF(SCT) *sct,
adcd8e37	143	const char *expected_output)
5dc31221 RP	144	{
	145	BIO *text_buffer = NULL;
	146	char *actual_output = NULL;
adcd8e37	147	int result = 0;
5dc31221	148
adcd8e37	149	if (!TEST_ptr(text_buffer = BIO_new(BIO_s_mem())))
5dc31221	150	goto end;
5dc31221	151
4fc31f75	152	SCT_LIST_print(sct, text_buffer, 0, "\n", NULL);
5dc31221	153
adcd8e37 RS	154	/* Append \0 because we're about to use the buffer contents as a string. */
adcd8e37 RS	155	if (!TEST_true(BIO_write(text_buffer, "\0", 1)))
5dc31221	156	goto end;
5dc31221 RP	157
5dc31221 RP	158	BIO_get_mem_data(text_buffer, &actual_output);
adcd8e37 RS	159	if (!TEST_str_eq(actual_output, expected_output))
	160	goto end;
	161	result = 1;
5dc31221 RP	162
	163	end:
	164	BIO_free(text_buffer);
	165	return result;
	166	}
	167
	168	static int compare_extension_printout(X509_EXTENSION *extension,
	169	const char *expected_output)
	170	{
	171	BIO *text_buffer = NULL;
	172	char *actual_output = NULL;
adcd8e37	173	int result = 0;
5dc31221	174
adcd8e37 RS	175	if (!TEST_ptr(text_buffer = BIO_new(BIO_s_mem()))
	176	\|\| !TEST_true(X509V3_EXT_print(text_buffer, extension,
	177	X509V3_EXT_DEFAULT, 0)))
5dc31221	178	goto end;
5dc31221	179
adcd8e37 RS	180	/* Append \0 because we're about to use the buffer contents as a string. */
adcd8e37 RS	181	if (!TEST_true(BIO_write(text_buffer, "\0", 1)))
5dc31221	182	goto end;
5dc31221 RP	183
5dc31221 RP	184	BIO_get_mem_data(text_buffer, &actual_output);
adcd8e37 RS	185	if (!TEST_str_eq(actual_output, expected_output))
adcd8e37 RS	186	goto end;
5dc31221	187
adcd8e37	188	result = 1;
5dc31221 RP	189
	190	end:
	191	BIO_free(text_buffer);
	192	return result;
	193	}
	194
adcd8e37 RS	195	static int assert_validity(CT_TEST_FIXTURE fixture, STACK_OF(SCT) *scts,
	196	CT_POLICY_EVAL_CTX *policy_ctx)
	197	{
876a1a83 RP	198	int invalid_sct_count = 0;
	199	int valid_sct_count = 0;
	200	int i;
	201
adcd8e37	202	if (!TEST_int_ge(SCT_LIST_validate(scts, policy_ctx), 0))
876a1a83	203	return 0;
876a1a83 RP	204
	205	for (i = 0; i < sk_SCT_num(scts); ++i) {
	206	SCT *sct_i = sk_SCT_value(scts, i);
adcd8e37	207
876a1a83 RP	208	switch (SCT_get_validation_status(sct_i)) {
	209	case SCT_VALIDATION_STATUS_VALID:
	210	++valid_sct_count;
	211	break;
	212	case SCT_VALIDATION_STATUS_INVALID:
	213	++invalid_sct_count;
	214	break;
f3b3d7f0 RS	215	case SCT_VALIDATION_STATUS_NOT_SET:
	216	case SCT_VALIDATION_STATUS_UNKNOWN_LOG:
	217	case SCT_VALIDATION_STATUS_UNVERIFIED:
	218	case SCT_VALIDATION_STATUS_UNKNOWN_VERSION:
876a1a83 RP	219	/* Ignore other validation statuses. */
	220	break;
	221	}
	222	}
	223
adcd8e37	224	if (!TEST_int_eq(valid_sct_count, fixture.expected_valid_sct_count)) {
876a1a83	225	int unverified_sct_count = sk_SCT_num(scts) -
adcd8e37 RS	226	invalid_sct_count - valid_sct_count;
	227
	228	TEST_info("%d SCTs failed, %d SCTs unverified",
	229	invalid_sct_count, unverified_sct_count);
876a1a83 RP	230	return 0;
	231	}
	232
	233	return 1;
	234	}
	235
5dc31221 RP	236	static int execute_cert_test(CT_TEST_FIXTURE fixture)
5dc31221 RP	237	{
ababe86b	238	int success = 0;
7d054e5a RP	239	X509 cert = NULL, issuer = NULL;
7d054e5a RP	240	STACK_OF(SCT) *scts = NULL;
5dc31221 RP	241	SCT *sct = NULL;
	242	char expected_sct_text[CT_TEST_MAX_FILE_SIZE];
	243	int sct_text_len = 0;
4fc31f75 RP	244	unsigned char *tls_sct_list = NULL;
4fc31f75 RP	245	size_t tls_sct_list_len = 0;
7d054e5a	246	CT_POLICY_EVAL_CTX *ct_policy_ctx = CT_POLICY_EVAL_CTX_new();
5dc31221	247
c469a9a8 RL	248	if (fixture.sct_text_file != NULL) {
	249	sct_text_len = read_text_file(fixture.sct_dir, fixture.sct_text_file,
	250	expected_sct_text,
	251	CT_TEST_MAX_FILE_SIZE - 1);
5dc31221	252
adcd8e37	253	if (!TEST_int_ge(sct_text_len, 0))
5dc31221	254	goto end;
5dc31221 RP	255	expected_sct_text[sct_text_len] = '\0';
	256	}
	257
a1bb7708 RP	258	CT_POLICY_EVAL_CTX_set_shared_CTLOG_STORE(
a1bb7708 RP	259	ct_policy_ctx, fixture.ctlog_store);
7d054e5a	260
1fa9ffd9 RP	261	CT_POLICY_EVAL_CTX_set_time(ct_policy_ctx, fixture.epoch_time_in_ms);
1fa9ffd9 RP	262
c469a9a8	263	if (fixture.certificate_file != NULL) {
5dc31221	264	int sct_extension_index;
c9cf4bc8	265	int i;
5dc31221	266	X509_EXTENSION *sct_extension = NULL;
5dc31221	267
adcd8e37 RS	268	if (!TEST_ptr(cert = load_pem_cert(fixture.certs_dir,
adcd8e37 RS	269	fixture.certificate_file)))
5dc31221	270	goto end;
5dc31221	271
a1bb7708	272	CT_POLICY_EVAL_CTX_set1_cert(ct_policy_ctx, cert);
7d054e5a	273
c469a9a8	274	if (fixture.issuer_file != NULL) {
adcd8e37 RS	275	if (!TEST_ptr(issuer = load_pem_cert(fixture.certs_dir,
adcd8e37 RS	276	fixture.issuer_file)))
7d054e5a	277	goto end;
a1bb7708	278	CT_POLICY_EVAL_CTX_set1_issuer(ct_policy_ctx, issuer);
7d054e5a RP	279	}
	280
	281	sct_extension_index =
	282	X509_get_ext_by_NID(cert, NID_ct_precert_scts, -1);
5dc31221 RP	283	sct_extension = X509_get_ext(cert, sct_extension_index);
5dc31221 RP	284	if (fixture.expected_sct_count > 0) {
adcd8e37	285	if (!TEST_ptr(sct_extension))
5dc31221	286	goto end;
5dc31221	287
ababe86b	288	if (fixture.sct_text_file
adcd8e37 RS	289	&& !compare_extension_printout(sct_extension,
adcd8e37 RS	290	expected_sct_text))
7d054e5a	291	goto end;
7d054e5a	292
c9cf4bc8 AG	293	scts = X509V3_EXT_d2i(sct_extension);
	294	for (i = 0; i < sk_SCT_num(scts); ++i) {
	295	SCT *sct_i = sk_SCT_value(scts, i);
14db9bbd	296
c9cf4bc8 AG	297	if (!TEST_int_eq(SCT_get_source(sct_i), SCT_SOURCE_X509V3_EXTENSION)) {
c9cf4bc8 AG	298	goto end;
5da65ef2	299	}
c9cf4bc8	300	}
7d054e5a	301
c9cf4bc8	302	if (fixture.test_validity) {
876a1a83	303	if (!assert_validity(fixture, scts, ct_policy_ctx))
5dc31221 RP	304	goto end;
5dc31221 RP	305	}
adcd8e37	306	} else if (!TEST_ptr_null(sct_extension)) {
5dc31221 RP	307	goto end;
	308	}
	309	}
	310
4fc31f75 RP	311	if (fixture.tls_sct_list != NULL) {
4fc31f75 RP	312	const unsigned char *p = fixture.tls_sct_list;
adcd8e37 RS	313
adcd8e37 RS	314	if (!TEST_ptr(o2i_SCT_LIST(&scts, &p, fixture.tls_sct_list_len)))
5dc31221	315	goto end;
5dc31221	316
43341433	317	if (fixture.test_validity && cert != NULL) {
876a1a83	318	if (!assert_validity(fixture, scts, ct_policy_ctx))
43341433	319	goto end;
43341433 VD	320	}
43341433 VD	321
ababe86b	322	if (fixture.sct_text_file
adcd8e37	323	&& !compare_sct_list_printout(scts, expected_sct_text)) {
5dc31221 RP	324	goto end;
	325	}
	326
4fc31f75	327	tls_sct_list_len = i2o_SCT_LIST(scts, &tls_sct_list);
adcd8e37 RS	328	if (!TEST_mem_eq(fixture.tls_sct_list, fixture.tls_sct_list_len,
adcd8e37 RS	329	tls_sct_list, tls_sct_list_len))
5dc31221	330	goto end;
5dc31221	331	}
ababe86b	332	success = 1;
5dc31221 RP	333
	334	end:
	335	X509_free(cert);
7d054e5a RP	336	X509_free(issuer);
7d054e5a RP	337	SCT_LIST_free(scts);
5dc31221	338	SCT_free(sct);
7d054e5a	339	CT_POLICY_EVAL_CTX_free(ct_policy_ctx);
4fc31f75	340	OPENSSL_free(tls_sct_list);
ababe86b	341	return success;
5dc31221 RP	342	}
5dc31221 RP	343
9b579777 P	344	# define SETUP_CT_TEST_FIXTURE() SETUP_TEST_FIXTURE(CT_TEST_FIXTURE, set_up)
9b579777 P	345	# define EXECUTE_CT_TEST() EXECUTE_TEST(execute_cert_test, tear_down)
5dc31221	346
62b0a0de	347	static int test_no_scts_in_certificate(void)
5dc31221 RP	348	{
5dc31221 RP	349	SETUP_CT_TEST_FIXTURE();
c469a9a8 RL	350	fixture.certs_dir = certs_dir;
	351	fixture.certificate_file = "leaf.pem";
	352	fixture.issuer_file = "subinterCA.pem";
5dc31221 RP	353	fixture.expected_sct_count = 0;
	354	EXECUTE_CT_TEST();
	355	}
	356
62b0a0de	357	static int test_one_sct_in_certificate(void)
5dc31221 RP	358	{
5dc31221 RP	359	SETUP_CT_TEST_FIXTURE();
c469a9a8 RL	360	fixture.certs_dir = certs_dir;
	361	fixture.certificate_file = "embeddedSCTs1.pem";
	362	fixture.issuer_file = "embeddedSCTs1_issuer.pem";
5dc31221	363	fixture.expected_sct_count = 1;
c469a9a8 RL	364	fixture.sct_dir = certs_dir;
c469a9a8 RL	365	fixture.sct_text_file = "embeddedSCTs1.sct";
5dc31221 RP	366	EXECUTE_CT_TEST();
	367	}
	368
62b0a0de	369	static int test_multiple_scts_in_certificate(void)
5dc31221 RP	370	{
5dc31221 RP	371	SETUP_CT_TEST_FIXTURE();
c469a9a8 RL	372	fixture.certs_dir = certs_dir;
	373	fixture.certificate_file = "embeddedSCTs3.pem";
	374	fixture.issuer_file = "embeddedSCTs3_issuer.pem";
5dc31221	375	fixture.expected_sct_count = 3;
c469a9a8 RL	376	fixture.sct_dir = certs_dir;
c469a9a8 RL	377	fixture.sct_text_file = "embeddedSCTs3.sct";
5dc31221 RP	378	EXECUTE_CT_TEST();
	379	}
	380
62b0a0de	381	static int test_verify_one_sct(void)
7d054e5a RP	382	{
7d054e5a RP	383	SETUP_CT_TEST_FIXTURE();
c469a9a8 RL	384	fixture.certs_dir = certs_dir;
	385	fixture.certificate_file = "embeddedSCTs1.pem";
	386	fixture.issuer_file = "embeddedSCTs1_issuer.pem";
1fa9ffd9	387	fixture.expected_sct_count = fixture.expected_valid_sct_count = 1;
7d054e5a RP	388	fixture.test_validity = 1;
	389	EXECUTE_CT_TEST();
	390	}
	391
62b0a0de	392	static int test_verify_multiple_scts(void)
7d054e5a RP	393	{
7d054e5a RP	394	SETUP_CT_TEST_FIXTURE();
c469a9a8 RL	395	fixture.certs_dir = certs_dir;
	396	fixture.certificate_file = "embeddedSCTs3.pem";
	397	fixture.issuer_file = "embeddedSCTs3_issuer.pem";
1fa9ffd9 RP	398	fixture.expected_sct_count = fixture.expected_valid_sct_count = 3;
	399	fixture.test_validity = 1;
	400	EXECUTE_CT_TEST();
	401	}
	402
62b0a0de	403	static int test_verify_fails_for_future_sct(void)
1fa9ffd9 RP	404	{
	405	SETUP_CT_TEST_FIXTURE();
	406	fixture.epoch_time_in_ms = 1365094800000; /* Apr 4 17:00:00 2013 GMT */
	407	fixture.certs_dir = certs_dir;
	408	fixture.certificate_file = "embeddedSCTs1.pem";
	409	fixture.issuer_file = "embeddedSCTs1_issuer.pem";
	410	fixture.expected_sct_count = 1;
	411	fixture.expected_valid_sct_count = 0;
7d054e5a RP	412	fixture.test_validity = 1;
	413	EXECUTE_CT_TEST();
	414	}
	415
62b0a0de	416	static int test_decode_tls_sct(void)
5dc31221	417	{
4fc31f75 RP	418	const unsigned char tls_sct_list[] = "\x00\x78" /* length of list */
	419	"\x00\x76"
	420	"\x00" /* version */
5dc31221 RP	421	/* log ID */
	422	"\xDF\x1C\x2E\xC1\x15\x00\x94\x52\x47\xA9\x61\x68\x32\x5D\xDC\x5C\x79"
	423	"\x59\xE8\xF7\xC6\xD3\x88\xFC\x00\x2E\x0B\xBD\x3F\x74\xD7\x64"
	424	"\x00\x00\x01\x3D\xDB\x27\xDF\x93" /* timestamp */
	425	"\x00\x00" /* extensions length */
	426	"" /* extensions */
	427	"\x04\x03" /* hash and signature algorithms */
	428	"\x00\x47" /* signature length */
dc919c69	429	/* signature */
5dc31221 RP	430	"\x30\x45\x02\x20\x48\x2F\x67\x51\xAF\x35\xDB\xA6\x54\x36\xBE\x1F\xD6"
	431	"\x64\x0F\x3D\xBF\x9A\x41\x42\x94\x95\x92\x45\x30\x28\x8F\xA3\xE5\xE2"
	432	"\x3E\x06\x02\x21\x00\xE4\xED\xC0\xDB\x3A\xC5\x72\xB1\xE2\xF5\xE8\xAB"
	433	"\x6A\x68\x06\x53\x98\x7D\xCF\x41\x02\x7D\xFE\xFF\xA1\x05\x51\x9D\x89"
dc919c69 RP	434	"\xED\xBF\x08";
	435
	436	SETUP_CT_TEST_FIXTURE();
4fc31f75 RP	437	fixture.tls_sct_list = tls_sct_list;
4fc31f75 RP	438	fixture.tls_sct_list_len = 0x7a;
c469a9a8 RL	439	fixture.sct_dir = ct_dir;
c469a9a8 RL	440	fixture.sct_text_file = "tls1.sct";
5dc31221 RP	441	EXECUTE_CT_TEST();
	442	}
	443
62b0a0de	444	static int test_encode_tls_sct(void)
5dc31221	445	{
f7a39a5a RP	446	const char log_id[] = "3xwuwRUAlFJHqWFoMl3cXHlZ6PfG04j8AC4LvT9012Q=";
	447	const uint64_t timestamp = 1;
	448	const char extensions[] = "";
e2635c49 RP	449	const char signature[] = "BAMARzBAMiBIL2dRrzXbplQ2vh/WZA89v5pBQpSVkkUwKI+j5"
e2635c49 RP	450	"eI+BgIhAOTtwNs6xXKx4vXoq2poBlOYfc9BAn3+/6EFUZ2J7b8I";
765731a8	451	SCT *sct = NULL;
dc919c69	452
5dc31221 RP	453	SETUP_CT_TEST_FIXTURE();
5dc31221 RP	454
765731a8	455	fixture.sct_list = sk_SCT_new_null();
adcd8e37 RS	456	if (!TEST_ptr(sct = SCT_new_from_base64(SCT_VERSION_V1, log_id,
	457	CT_LOG_ENTRY_TYPE_X509, timestamp,
	458	extensions, signature)))
f7a39a5a	459
d836d71b	460	return 0;
4fc31f75	461
765731a8	462	sk_SCT_push(fixture.sct_list, sct);
c469a9a8 RL	463	fixture.sct_dir = ct_dir;
c469a9a8 RL	464	fixture.sct_text_file = "tls1.sct";
5dc31221	465	EXECUTE_CT_TEST();
5dc31221 RP	466	}
5dc31221 RP	467
ebcb5368 RP	468	/*
	469	* Tests that the CT_POLICY_EVAL_CTX default time is approximately now.
	470	* Allow +-10 minutes, as it may compensate for clock skew.
	471	*/
62b0a0de	472	static int test_default_ct_policy_eval_ctx_time_is_now(void)
ebcb5368 RP	473	{
	474	int success = 0;
	475	CT_POLICY_EVAL_CTX *ct_policy_ctx = CT_POLICY_EVAL_CTX_new();
	476	const time_t default_time = CT_POLICY_EVAL_CTX_get_time(ct_policy_ctx) /
	477	1000;
	478	const time_t time_tolerance = 600; /* 10 minutes */
	479
adcd8e37	480	if (!TEST_uint_le(fabs(difftime(time(NULL), default_time)), time_tolerance))
ebcb5368	481	goto end;
ebcb5368 RP	482
	483	success = 1;
	484	end:
	485	CT_POLICY_EVAL_CTX_free(ct_policy_ctx);
	486	return success;
	487	}
	488
62b0a0de BK	489	static int test_ctlog_from_base64(void)
	490	{
	491	CTLOG *log = NULL;
	492	const char notb64[] = "\01\02\03\04";
	493	const char pad[] = "====";
	494	const char name[] = "name";
	495
	496	/* We expect these to both fail! */
	497	if (!TEST_true(!CTLOG_new_from_base64(&log, notb64, name))
	498	\|\| !TEST_true(!CTLOG_new_from_base64(&log, pad, name)))
	499	return 0;
	500	return 1;
	501	}
9b579777	502	#endif
62b0a0de	503
e364c3b2	504	int test_main(int argc, char *argv[])
5dc31221	505	{
9b579777	506	#ifndef OPENSSL_NO_CT
adcd8e37 RS	507	if ((ct_dir = getenv("CT_DIR")) == NULL)
	508	ct_dir = "ct";
	509	if ((certs_dir = getenv("CERTS_DIR")) == NULL)
	510	certs_dir = "certs";
5dc31221 RP	511
	512	ADD_TEST(test_no_scts_in_certificate);
	513	ADD_TEST(test_one_sct_in_certificate);
	514	ADD_TEST(test_multiple_scts_in_certificate);
7d054e5a RP	515	ADD_TEST(test_verify_one_sct);
7d054e5a RP	516	ADD_TEST(test_verify_multiple_scts);
1fa9ffd9	517	ADD_TEST(test_verify_fails_for_future_sct);
5dc31221 RP	518	ADD_TEST(test_decode_tls_sct);
5dc31221 RP	519	ADD_TEST(test_encode_tls_sct);
ebcb5368	520	ADD_TEST(test_default_ct_policy_eval_ctx_time_is_now);
62b0a0de	521	ADD_TEST(test_ctlog_from_base64);
5dc31221	522
adcd8e37	523	return run_tests(argv[0]);
42e055e1	524	#else
42e055e1	525	printf("No CT support\n");
9b579777	526	return EXIT_SUCCESS;
e364c3b2	527	#endif
9b579777	528	}